Gathering Cyber Threat Intelligence from Twitter Using Novelty Classification - arXiv
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Gathering Cyber Threat Intelligence from Twitter
Using Novelty Classification
Ba-Dung Le Guanhua Wang Mehwish Nasim M. Ali Babar
School of Computer Science School of Computer Science School of Mathematical Sciences School of Computer Science
University of Adelaide University of Adelaide University of Adelaide University of Adelaide
Adelaide, Australia Adelaide, Australia Adelaide, Australia Adelaide, Australia
badung.le@adelaide.edu.au guanhua.wang@adelaide.edu.au mehwish.nasim@adelaide.edu.au ali.babar@adelaide.edu.au
arXiv:1907.01755v2 [cs.CR] 5 Sep 2019
Abstract—Preventing organizations from Cyber exploits needs cations and actionable advice, about an existing or emerging
timely intelligence about Cyber vulnerabilities and attacks, re- menace or hazard to assets that can be used to inform decisions
ferred to as threats. Cyber threat intelligence can be extracted regarding the subject’s response to that menace or hazard” [3].
from various sources including social media platforms where
users publish the threat information in real-time. Gathering Threat intelligence in Cyber security domain, or Cyber threat
Cyber threat intelligence from social media sites is a time- intelligence, provides timely and relevant information, such as
consuming task for security analysts that can delay timely signatures of the attacks, that can help reduce the uncertainty
response to emerging Cyber threats. We propose a framework for in identifying potential security vulnerabilities and attacks.
automatically gathering Cyber threat intelligence from Twitter Cyber threat intelligence can generally be extracted from
by using a novelty detection model. Our model learns the
features of Cyber threat intelligence from the threat descriptions overt or formal sources, which officially release threat infor-
published in public repositories such as Common Vulnerabilities mation in structured data format. Structured threat intelligence
and Exposures (CVE) and classifies a new unseen tweet as either adhere to a well-defined data model, with common format and
normal or anomalous to Cyber threat intelligence. We evaluate structure, such as an XML schema. Structured Cyber threat
our framework using a purpose-built data set of tweets from 50 intelligence, therefore, can be easily parsed by security tools to
influential Cyber security-related accounts over twelve months (in
2018). Our classifier achieves the F1-score of 0.643 for classifying analyze and respond to security threats accordingly. Examples
Cyber threat tweets and outperforms several baselines including of formal sources of Cyber threat intelligence include the
binary classification models. Analysis of the classification results Common Vulnerabilities and Exposures (CVE) database [4]
suggests that Cyber threat-relevant tweets on Twitter do not often and the National Vulnerability Database (NVD) [5]. Fig. 1
include the CVE identifier of the related threats. Hence, it would shows an example of the entries in the CVE database relating
be valuable to collect these tweets and associate them with the
related CVE identifier for Cyber security applications. to a threat. Each CVE entry has an identifier (ID) that includes
the prefix ‘CVE’, the year that the CVE entry was created
Keywords-Cybersecurity, Cyber threat, open source intelli- or published and a sequence number of four or more digits.
gence, OSINT, Twitter
A CVE entry also has a brief description of the threat that
generally includes the information about the affected product,
I. I NTRODUCTION
versions and vendor, the threat type and the impact, method
Recently, there has been an increasing reliance on the and inputs of an attack. However, some of these details may
Internet for business, government, and social interactions as not be included in a CVE description if the information is not
a result of a trend of hyper-connectivity and hyper-mobility. available at the publishing time.
While the Internet has become an indispensable infrastructure Cyber threat intelligence is also available on covert or
for businesses, governments, and societies, there is also an informal sources, such as public blogs, dark webs, forums
increased risk of Cyber attacks with different motivations and and social media platforms. Informal sources allow any person
intentions. For examples, a U.S. government report [1] shows or entity on the Internet to publish, in real-time, the threat
that there was an average of more than 4000 ransomware information in natural language, or unstructured data format.
attacks per day in 2016 - a four fold increase compared to The unstructured and publicly available threat intelligence
2015. According to Cybersecurity Ventures [2], Cyber crime are also called Open Source Intelligence (OSINT) [6]. Cyber
will continue to rise with a combined cost to businesses security related OSINT are early warning sources for Cyber
globally more than $6 trillion annually by 2021. Therefore, security events such as security vulnerability exploits [7].
Cyber security has become a critically important area of For examples, in June 2017, the global ransomware outbreak
research and practice over the last few years. of ‘Petya/NotPetya’ was discussed widely via Twitter before
Preventing organizations from Cyber exploits needs timely being reported by mainstream media [8]. To prioritize response
intelligence about Cyber vulnerabilities and attacks, referred to Cyber threats, Cyber security analysts must quickly de-
to as threats. Threat intelligence is defined as “evidence-based termine the emerging threats that are currently discussed on
knowledge, including context, mechanisms, indicators, impli- public sources. However, gathering Cyber OSINT is a time-Fig. 1. An example of the entries in the CVE database
consuming task as natural language is ambiguous and difficult metric for classifying Cyber threat tweets. To our knowledge,
for security tools to parse. Any delay in taking suitable actions our approach outperformed several baselines including binary
against a security vulnerability, threat, or attack can lead to classification models. We have analyzed the correctly classified
more loss. Cyber threat tweets and discovered that 81 of them do not
The work reported in this paper has focused on collecting contain a CVE identifier. We have also found that 34 out of
and analyzing data from Twitter, which allows its users to the 81 tweets can be associated with a CVE identifier included
post 280 character long messages, called tweets. Twitter is a in the top 10 most similar CVE descriptions of each tweet.
main source for Cyber OSINT as many Cyber security experts The highlights of this work are:
are using this open platform to disseminate information about • An automated framework for detecting Cyber threat
Cyber threats [9]. Fig. 2 shows a few examples of Cyber threat- tweets on Twitter using novelty classification
relevant tweets on Twitter. The first tweet summarizes the CVE • An evaluation of our framework on a challenging data
entry with the identifier ‘CVE-2018-0101’. The second and set created from the tweets collected over a period of
third tweets discuss two different threats but do not include twelve months from 50 influential Cyber security related
any CVE identifier. However, using our knowledge about accounts
Cyber security, we can associate these two tweets with the • A detailed description of an analysis and the results of the
CVE identifiers ‘CVE-2018-20714’ 1 and ‘CVE-2017-11882’ relationship between the correctly classified Cyber threat
2
respectively. Collecting these tweets with the associated CVE tweets and threat descriptions in the CVE database
identifiers is useful for Cyber threat-related applications such The rest of the paper is organized as follows. In section
as exploit prediction [7] and Indicators of Compromise (IoCs) 2, we summarize the existing work related to automatically
generation [10]. gathering Cyber OSINT from Twiter. In section 3, we present
We have developed a framework for automatically gathering our framework for the automated collection task. We evaluate
Cyber threat intelligence from Twitter. Our framework utilizes our framework and discuss our findings in section 4. In section
a novelty detection model to classify the tweets as relevant or 5, we presents our conclusions from the results of our work
irrelevant to Cyber threat intelligence. The novelty classifier and suggests directions for future work.
learns the features of Cyber threat intelligence from the threat
descriptions in the CVE database and classifies a new unseen II. R ELATED W ORK
tweet as normal or abnormal in relation to Cyber threat
In the last few years, research on using Cyber threat-relevant
intelligence. The normal tweets are considered as Cyber threat-
information available on Twitter for security purposes has
relevant while the abnormal tweets are considered as Cyber
gained significant attention. To automatically collect Cyber
threat-irrelevant. We evaluate our framework on a purpose-
threat intelligence from Twitter, several methods have been
built data set created from the tweets collected over a period of
used [7], [8], [10]–[14].
twelve months in 2018 from 50 influential Cyber security re-
The most traditional method for collecting Cyber threat-
lated accounts. During the evaluation, our framework achieved
relevant tweets is searching for the tweets containing the CVE
the highest performance of 0.643 measured by the F1-score
identifier [7]. Sabottke at. al. [7] use this collection method
for predicting Cyber exploits in the real world. Their exploit
1 https://thehackernews.com/2018/06/wordpress-hacking.html
2 https://www.trendmicro.com/vinfo/au/security/news/vulnerabilities-and-
detector uses the collected Cyber threat tweets to improve the
exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in- precision of the prediction model and to generate early exploit
the-wild warnings. However, because the tweets that do not contain theFig. 2. Examples of the tweets about Cyber threats
CVE identifier are ignored, their exploit detector might not occurs when the positive or negative samples are not the rep-
appropriately take into account the potential exploits relating resentative of Cyber threat-relevant or Cyber threat-irrelevant
to the ignored Cyber threat tweets. tweets respectively.
Le Sceller at. al. [11] collect Cyber threat information,
III. G ATHERING C YBER T HREAT T WEETS U SING
referred to as Cyber security events, on Twitter based on a
N OVELTY C LASSIFICATION
set of related keywords. Cyber threat irrelevant information,
that might have been collected, are discarded using backlist As previously reported, our work focuses only on the
keywords. Over time, new related keywords are added into collection method of Cyber threat tweets instead of a complete
the set of the initially related keywords using a self-learned system with functional requirements such as scalability, real-
mechanism. Sapienza et al. [8] identify Cyber threat tweets time processing and security alert generation as in some
as the tweets containing a number of terms in a set of Cyber previous work [10], [13], [14]. The key idea of our method is
security related terms. Trabelsi et. al. [12] collect Cyber threat that we formulate the task of detecting Cyber threat tweets
tweets based on both the CVE identifier and a set of Cyber as a novelty classification task [18]. A novelty classifier
security related keywords. Mittal et al. [13] combine the key- needs to be trained only with positive samples without using
words based collection method and Name Entity Recognition negative samples. After being trained, the novelty classifier
(NER) to collect Cyber threat information. The drawback of subsequently applies its knowledge to decide whether a new
the keywords based collection method for Cyber threat infor- unseen tweet is normal or abnormal to the class of the positive
mation is that this method requires expert knowledge about samples. By using novelty classification, we avoid the issue
Cyber threats to choose the relevant keywords. The keywords of sampling bias toward the negative training data set.
based collection method, therefore, can easily ignore Cyber Fig. 3 shows the architecture of our framework for clas-
threat-related information and collects Cyber threat irrelevant sifying Cyber threat tweets. Our framework consists of three
information if the keywords are not carefully selected [11]. phases including pre-processing, feature extraction and novelty
Alves at. al. [14] focus on designing a completed online classification. The input of our framework includes the tweets
monitoring system for Cyber threat tweets on Twitter. Their collected from Twitter and the threat descriptions from the
monitoring system includes a Cyber threat tweet classification CVE database [4]. The CVE descriptions are used as the
module that uses supervised machine learning approach to positive samples for training our novelty classifier. The output
classify Cyber threat tweets. This module transforms tweets of our framework consists of the tweets that are classified
to vector representations and classifies the tweets as Cyber as normal, or Cyber threat-relevant, and the tweets that are
threat relevant or irrelevant using binary classification models, classified as abnormal, or Cyber threat-irrelevant.
particularly Support Vector Machines (SVM) and Multi-Layer A. Preprocessing
Perceptron (MLP) neural networks. Dionsio et. al. [10] use
The preprocessing phase is to eliminate the terms in the
word embeddings such as GloVE [15] and Word2Vec [16]
input documents that are unnecessary for identifying Cyber
for feature extraction and use the binary classification model
threat information. This phase converts the input documents
Convolutional Neural Network (CNN) [17] for classifying
into lowercase with punctuation, numbers, hyperlinks, men-
Cyber threat tweets. The collection method for Cyber threat
tions and hashtags stripped out. Stopwords in the input doc-
tweets based on binary classification requires the classifiers
uments are also removed using the default stopword list in
to be trained with both positive and negative samples, or
the Natural Language Toolkit (NLTK) package 3 . We do not
Cyber threat-relevant and Cyber threat-irrelevant tweets. This
potentially introduces the problem of sampling bias which 3 The NLTK package can be downloaded at https://www.nltk.org/Tweets No
Feature Novelty
Preprocessing is abnormal?
extraction classication Threat-
CVE List relevant
Threat-irrelevant tweet
Yes
tweet
Fig. 3. Architecture of our framework for classifying Cyber threat tweets
apply stemming and lemmatizing onto the input documents as which is defined as
it may change the meaning of them. vi .vj
cos(vi , vj ) = .
||vi || ∗ ||vj ||
B. Feature extraction The One-class Support Vector Machine (One-class SVM)
The feature extraction phase is to transform the pre- classifier [18], [23] aims at finding a function that returns a
processed documents into numerical vector representations for positive value for a normal data point of the positive class
classification. To represent each document as a vector, we and a negative value for an abnormal data point. As finding
use the Term Frequency-Invert Document Frequency (TF-IDF) the function is difficult in the original feature space, the One-
method [19], [20] which assigns weights to the document class SVM classifier maps the input data points into a high
terms as follows. Let d is a document in a corpus and t is dimensional feature space via a kernel. The mapping kernel
a term in the document. The weight of term t in document d transforms the abnormal or novel data point closer to the origin
is defined as than the members. The One-class SVM classifier then finds the
hyperplane that separates the training class from the origin
T F − IDF (t, d) = f (t, d) ∗ log(N/nt ), with maximum margin. For an input data point, the function
where f (t, d) is the number of the occurrences of term t in returns a value deciding the side of the hyperplane that the
document d, N is the total number of documents in the corpus input data point falls on. We use the implementation of One-
and nt is the number of the documents containing term t. class SVM classifier in the scikit-learn Python package 4 .
It is noted that our training corpus consists of only positive IV. P ERFORMANCE EVALUATION
samples. Therefore, the total number of documents in our
A. Experiment setting
training corpus is the total number of the positive samples.
a) Training and testing data sets: To evaluate the perfor-
mance of our framework for classifying Cyber threat tweets,
C. Novelty classification
we trained our classifier with all the CVE descriptions released
After transforming the collected tweets and the CVE de- in 2017. We tested our classifier on the tweets posted in
scriptions into numerical vectors, we use a novelty classifier 2018 from 50 influential Cyber security related accounts on
to classify each of the input tweets as normal or abnormal to Twitter. All of these Twitter accounts are known as experts or
the class of Cyber threat intelligence. To choose a suitable clas- organizations working in the Cyber security domain and each
sification model, we explore two different novelty classifiers of them has more than 5000 followers. Table I lists the 50
including Centroid [21], [22] and One-class Support Vector Twitter accounts for collecting Cyber threat tweets.
Machine [18], [23]. Since the total number of the tweets posted in 2018 from
The Centroid classifier [21], [22] decides whether an input the 50 Twitter accounts is very large (76205 tweets), it is
document is normal or abnormal to the positive class based on not practical to manually label all these tweets for verifying
the distance between the input document and the centroid of the classification performance. Therefore, we selected only a
the positive class. The centroid C of a class S of documents subset of the posted tweets to create the testing data set. To
is defined as cover all the posted tweets that were potentially relevant to
1 X Cyber threats, we weighted the relevance of each tweet to
C= vd ,
|S| Cyber threats and selected only the tweets with high relevance
d∈S
score.
where d is a document in S, vd is the vector representation of
document d and |S| is the total number of document in S. Because the training data consisted of only Cyber threat
descriptions, we assumed that the more frequently a term
Given a threshold value, an input document is classified
appears in the training data set, the more relevant is the term
abnormal to the positive class if the distance between the
to Cyber threats. The more relevant to Cyber threats a term
document and the centroid is larger than the threshold value.
is, the larger the relevance weight of the term is. Therefore,
Otherwise, the input document is classifier as normal to the
positive class. The distance between two vectors vi and vj is 4 The scikit-learn Python package can be downloaded at https://scikit-
computed as the cosine similarity between the two vectors, learn.org/TABLE I
L IST OF THE 50 T WITTER ACCOUNTS FOR COLLECTING C YBER THREAT TWEETS
avast antivirus, cyber, CyberSec News, MalwareTechBlog, lennyzeltser, securityaffairs, CSOonline, DarkReading,
helpnetsecurity, USCERT gov, Peerlyst, e kaspersky, troyhunt, jeremiahg, schneierblog, mikko, IBMSecurity, k8em0,
briankrebs, OracleSecurity, TenableSecurity, Cybersec EU, Hacker Combat, securityonion, AdobeSecurity, circl lu,
USCyberMag, Secureworks, WDSecurity, CiscoSecurity, CarbonBlack Inc, MISPProject, Binary Defense, FireEye,
EmergingThreats, InfosecurityMag, EHackerNews, TheHackersNews, TrendMicro, SecurityWeek, Sophos, threatintel,
NortonOnline, McAfee, symantec, kaspersky, RecordedFuture, alienvault, Unit42 Intel, CyberGovAU
corruption
exploitable
we defined the relevance weight of a term t to Cyber threats
component
context
subcomponent
overflow
product
as: process related
easily
cross unauthenticated unauthorized
discovered
allows
memory
result
base
http local lead affected
access
nt version privileged
ac
authenticated
rw(t) = log(1 + ) (1)
N − nt + 1 vulnerability service
versions
using
cause
kernel
site
where N is the total number of documents in the training data confidentiality
buffer application xss
id
issue execution
users read function
oracle
cve
set and nt is the total number of the documents that contain unspecified
vulnerable
data user
linux
sensitive
supported
vector
term t in the training data set. attackers
code based
earlier
windows
prior
privileges allow
android
injection
Fig. 4 illustrates the word cloud of the top 100 popular
attacker
products
terms in the training data set. It can be inferred from the figure exists use crafted web denial
execute php information
pr
parameter score crash
accessible
that the terms such as ’CVE’ and ’vulnerability’ have larger attacks
arbitrary
remote
impact
compromise
certain
used
exploit
network
successful scripting
av
relevance weights to Cyber threats than the other terms such
server
malicious
cvss
file
request
ui
impacts
disclosure
as ’service’ and ’versions’. attack
The relevance weight of a tweet to Cyber threats can be
calculated as the sum of the relevance scores of all the terms,
weighted by their occurrences, in the tweet [24]. Therefore, Fig. 4. Word cloud of the top 100 popular terms in our training data set
we defined the relevance weight of a tweet d to Cyber threats
as
as follows.
X True positives
RW (d) = f (t, d) ∗ rw(t) (2) P recision =
t∈d
True positives + False positives
and
where t is a term in tweet d, f (t, d) is the number of the True positives
Recall =
occurrences of term t in tweet d and rw(t) is the relevance True positives + False negatives
weight of term t to Cyber threats.
where True positives are the correctly classified Cyber threat-
Combining (1) and (2), the relevance weight of a tweet d relevant tweets, False positives are the Cyber threat irrelevant
to Cyber threats can be rewritten as tweets that are classified as relevant and False negatives are the
Cyber threat-relevant tweets that are classified as irrelevant.
X nt
RW (d) = f (t, d) ∗ log(1 + ) (3) F1-score is a combination of Precision and Recall given by
N − nt + 1 their harmonic mean.
t∈d
2 * Precision * Recall
We calculated the relevance weights for all the tweets posted F 1 − score =
in 2018 from the 50 Twitter users and selected only the Precision + Recall
top 3000 tweets with the highest relevance weight to create B. Results and discussions
the testing data set. The selected tweets were then manually Fig. 5 plots Precision as a function of Recall achieved by
labeled as Cyber threat-relevant or irrelevant by two of the the Centroid and the One-class SVM classifiers. Precision
authors (one is a postdoctoral researcher and the other is a PhD and Recall are computed by varying the threshold parameter
student in the field relating to Cyber security). After labeling of these classifiers for deciding whether a tweet is normal
the selected tweets, we created a challenging testing data set or anomalous to Cyber threats. Normal tweets are labeled
with 232 tweets labeled as positive and 2768 tweets labeled as Cyber threat-relevant while anomalous tweets are labeled
as negative. as Cyber threat-irrelevant. As can be seen from the figure,
b) Evaluation metrics: To measure the classification per- the Centroid classifier achieves a higher Precision rate than
formance, we used three common metrics including Precision, the One-class SVM classifier at the same Recall rate. This
Recall and F1-score. The definitions of these metrics are given means that the Centroid classifier detects less number of falseTABLE II
100 P ERFORMANCE OF OUR NOVELTY CLASSIFIER AND THE BINARY
CLASSIFIERS SVM, MLP AND CNN
80
Precision(%)
Classifier Precision Recall F1-score
60 SVM 0.653 0.608 0.629
MLP 0.638 0.578 0.606
40 CNN 0.474 0.625 0.539
Centroid Our novelty classifier 0.851 0.517 0.643
20 One-class SVM
40 60 80 100 and executed with default parameter values.
Recall(%) Table II compares the performance of our novelty classifier
and the binary classifiers SVM, MLP and CNN. It can be seen
from Table II that the binary classifiers give a higher Recall
Fig. 5. Precision as a function of Recall when varying the decision threshold
of the Centroid and One-class SVM classifiers rate than our classifier but have a notably lower Precision rate.
In term of overall performance, our classifier achieves a higher
F1-score than SVM, MLP and CNN.
positives than the One-class SVM classifier providing that both C. Analysis of classified tweets
the classifiers give the same number of true positives. The best
To demonstrate the usefulness of our classification method,
overall performance, in term of F1-score, is 0.643 given by
we examined the relationship between the correctly classified
the Centroid classifier corresponding to the Precision value of
Cyber threat-relevant tweets and threat descriptions in the CVE
0.851 and the Recall value of 0.517. In further analysis, we
database. Our classifier correctly labeled 120 Cyber threat-
used the Centroid classifier with the threshold parameter value
relevant tweets out of the 232 Cyber threat-relevant tweets in
that resulted in these Precision and Recall rates.
the training data set. Out of the 120 correctly labeled Cyber
a) Comparison with baselines: To show the effectiveness
threat-relevant tweets, 39 tweets contained the CVE identifier
of our classification framework, we further compared our
and 81 tweets did not. Since the recent research has well
classifier with several baselines. The first baseline is the
analyzed Cyber threat-relevant tweets with CVE identifier [7],
collection method of Cyber threat tweets based on the CVE
[10], [14], we focus our analysis on only Cyber threat-relevant
identifier [7]. This collection method simply collects only the
tweets without CVE identifier.
tweets that contain the CVE identifier and ignores the tweets
For each of the 81 Cyber threat-relevant tweets without
that do not have a CVE identifier. Applying to our testing
CVE identifier, we collected the top 10 CVE descriptions
data set, 61 tweets with CVE identifier were collected but
which were most similar to the tweet 6 7 . Our annotators were
only 53 of them were relevant to Cyber threats. Recalled that
then asked to identify that if each of the Cyber threat-relevant
the total number of Cyber threat-relevant tweets in our testing
tweets refers to the same threat with at least one of the top
data set was 232. Therefore, collecting the Cyber threat tweets
10 CVE descriptions. We find that 34 of the 81 Cyber threat-
based on the CVE identifier gave the Precision rate of 53/61
relevant tweets without CVE identifier refer to the same threat
(≈0.869) and the Recall rate of 53/232 (≈0.228). The F1-score
with at least a CVE description. Table III lists some examples
given from these Precision and Recall values is 0.361, which
of these tweets and the corresponding CVE description. The
is significantly below the F1-score of 0.643 achieved by our
other 47 Cyber threat-relevant tweets without CVE identifier
classifier.
refer to a threat that is not described by the top 10 CVE
We also compared our classifier with other baselines includ-
descriptions. Table IV lists some examples of these tweets.
ing Support Vector Machine (SVM), Multilayer Perceptron
Our analysis of the classification results suggests that Cyber
(MLP) and Convolutional Neural Network (CNN) [10], [14].
threat-relevant tweets on Twitter do not often include the
These baselines are binary classification models which require
CVE identifier of the related threats. However, the related
to be trained with both positive and negative samples. To
CVE identifier of a Cyber threat-relevant tweet can be iden-
obtain the negative samples, we randomly collected 3000
tified by matching the tweet with the top 10 most similar
tweets that were irrelevant to Cyber threats from the 50 Twitter
CVE descriptions. The matched CVE description, therefore,
accounts (the tweets were verified by the two authors who
provides additional information that are valuable for Cyber
labeled the testing data set). The implementation of SVM and
threat-related applications such as exploit prediction [7] and
MLP are provided in the scikit-learn Python package. The
Indicators of Compromise (IoCs) generation [10].
implementation of CNN is provided in the TensorFlow Python
package 5 . All the binary classification models were trained 6 The similarity between a tweet and a CVE description was calculated by
the cosine similarity measure
5 The TensorFlow Python package can be downloaded at 7 The tweets were compared with only the CVE descriptions publicly
https://www.tensorflow.org disclosed between 01/01/2015 and 30/04/2019TABLE III
E XAMPLES OF THE TWEETS WITHOUT CVE IDENTIFIER THAT REFER TO A THREAT DESCRIBED BY AT LEAST ONE OF THE TOP 10 MOST SIMILAR CVE
DESCRIPTIONS .
Tweet CVE description CVE ID
Newly Disclosed Cross-Site Scripting (XSS) Cross-site scripting (XSS) vulnerability in the Enhanced Image CVE-2018-9861
Vulnerability Resides in the Popular # CKEdi- (aka image2) plugin for CKEditor (in versions 4.5.10 through
tor Rich-Text Editor Library That Comes Pre- 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and
Integrated in Drupal Core. [Rated Moderately 8.5.x before 8.5.2 and other products, allows remote attackers
Critical] Affected Versions x0014 CKEditor to inject arbitrary web script through a crafted IMG element.
4.5.11 and later versions (Drupal 8 & 7)
DHCP client application that allows systems to DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora CVE-2018-1111
automatically receive network parameters like 28, and earlier are vulnerable to a command injection flaw
IP addresses contains # security vulnerability in the NetworkManager integration script included in the
that allows # hackers to run arbitrary com- DHCP client. A malicious DHCP server, or an attacker on
mands the local network able to spoof DHCP responses, could use
this flaw to execute arbitrary commands with root privileges
on systems using NetworkManager and configured to obtain
network configuration using the DHCP protocol.
TABLE IV
E XAMPLES OF THE TWEETS WITHOUT CVE IDENTIFIER THAT REFER TO A THREAT NOT DESCRIBED BY ANY OF THE TOP 10 MOST SIMILAR CVE
DESCRIPTIONS
Tweet
Cb TAU recently detected a # Squiblydoo attack attempting to leverage regsvr32.exe & scrobj.dll to download and execute scriptlet
code via an # XML file. This attack also attempts to use taskeng.exe and the schedule service as persistence mechanisms via
The Sharpshooter technique can allow attackers to use a script to run a .NET binary directly from memory not ever needing to reside
on disk. Using durable AMSI-aided detection Windows Defender ATP disrupts campaigns and a steady hum of daily activity.
V. C ONCLUSION related entities to the current framework.
ACKNOWLEDGMENT
In this paper, we proposed an automated framework for
gathering Cyber threat intelligence from Twitter. Our col- The work has been supported by the Cyber Security Re-
lection framework utilizes a novelty detection model that search Centre Limited whose activities are partially funded
learns the features of Cyber threat intelligence from the by the Australian Governments Cooperative Research Centres
CVE descriptions and classifies each input tweet as either Programme.
normal or anomalous to the class of Cyber threat intelligence. R EFERENCES
We evaluated our framework on a challenging data set of [1] U. government, “How to protect your networks from ransomware.”
the tweets collected over the twelve months of 2018 from [2] C. Ventures, “Cybersecurity market report,” 2018.
50 influential Cyber security related accounts. Our classifier [3] Gartner, “Definition: Threat intelligence.”
[4] MITRE, “Common vulnerabilities and exposures (cve).”
achieved a performance of 0.643 measured by F1-score for [5] U. government, “National vulnerability database (nvd).”
classifying Cyber threat-relevant tweets, which is higher than [6] R. D. Steele, “Open source intelligence: What is it? why is it important
the performance of several baselines including SVM, MLP to the military?,” American Intelligence Journal, pp. 35–41, 1996.
[7] C. Sabottke, O. Suciu, and T. Dumitras, “Vulnerability disclosure in
and CNN. Our analysis on the correctly classified Cyber the age of social media: Exploiting twitter for predicting real-world
threat-relevant tweets suggests that these tweets do not often exploits.,” in USENIX Security Symposium, pp. 1041–1056, 2015.
mention the CVE identifier of the related threats. Collecting [8] A. Sapienza, S. K. Ernala, A. Bessi, K. Lerman, and E. Ferrara, “Dis-
cover: Mining online chatter for emerging cyber threats,” in Companion
these tweets and finding the related CVE identifier, therefore, of the The Web Conference 2018 on The Web Conference 2018, pp. 983–
provide further information that are valuable for Cyber threat- 990, International World Wide Web Conferences Steering Committee,
related applications. 2018.
[9] A. Queiroz, B. Keegan, and F. Mtenzi, “Predicting software vulnerability
For the future work, our classification framework for Cyber using security discussion in social media,” in European Conference
threat-relevant tweets can be potentially enhanced by combin- on Cyber Warfare and Security, pp. 628–634, Academic Conferences
ing it with word embeddings [15], [16] for feature extraction. International Limited, 2017.
[10] N. Dionı́sio, F. Alves, P. M. Ferreira, and A. Bessani, “Cyberthreat
The classification performance can also be improved by adding detection from twitter using deep neural networks,” arXiv preprint
a phase of Named Entity Recognition (NER) for vulnerability- arXiv:1904.01127, 2019.[11] Q. Le Sceller, E. B. Karbab, M. Debbabi, and F. Iqbal, “Sonar:
Automatic detection of cyber security events over the twitter stream,”
in Proceedings of the 12th International Conference on Availability,
Reliability and Security, p. 23, ACM, 2017.
[12] S. Trabelsi, H. Plate, A. Abida, M. M. B. Aoun, A. Zouaoui, C. Mis-
saoui, S. Gharbi, and A. Ayari, “Mining social networks for software
vulnerabilities monitoring,” in New Technologies, Mobility and Security
(NTMS), 2015 7th International Conference on, pp. 1–7, IEEE, 2015.
[13] S. Mittal, P. K. Das, V. Mulwad, A. Joshi, and T. Finin, “Cybertwitter:
Using twitter to generate alerts for cybersecurity threats and vulnerabil-
ities,” in Proceedings of the 2016 IEEE/ACM International Conference
on Advances in Social Networks Analysis and Mining, pp. 860–867,
IEEE Press, 2016.
[14] F. Alves, A. Bettini, P. M. Ferreira, and A. Bessani, “Processing tweets
for cybersecurity threat awareness,” arXiv preprint arXiv:1904.02072,
2019.
[15] J. Pennington, R. Socher, and C. Manning, “Glove: Global vectors
for word representation,” in Proceedings of the 2014 conference on
empirical methods in natural language processing (EMNLP), pp. 1532–
1543, 2014.
[16] Q. Le and T. Mikolov, “Distributed representations of sentences and doc-
uments,” in International Conference on Machine Learning, pp. 1188–
1196, 2014.
[17] Y. Kim, “Convolutional neural networks for sentence classification,”
arXiv preprint arXiv:1408.5882, 2014.
[18] B. Schölkopf, R. C. Williamson, A. J. Smola, J. Shawe-Taylor, and
J. C. Platt, “Support vector method for novelty detection,” in Advances
in neural information processing systems, pp. 582–588, 2000.
[19] T. Joachims, “A probabilistic analysis of the rocchio algorithm with tfidf
for text categorization.,” tech. rep., Carnegie-mellon univ pittsburgh pa
dept of computer science, 1996.
[20] G. Salton and C. Buckley, “Term-weighting approaches in automatic
text retrieval,” Information processing & management, vol. 24, no. 5,
pp. 513–523, 1988.
[21] F. E. Grubbs, “Procedures for detecting outlying observations in sam-
ples,” Technometrics, vol. 11, no. 1, pp. 1–21, 1969.
[22] H. Guan, J. Zhou, and M. Guo, “A class-feature-centroid classifier for
text categorization,” in Proceedings of the 18th international conference
on World wide web, pp. 201–210, ACM, 2009.
[23] L. M. Manevitz and M. Yousef, “One-class svms for document classifi-
cation,” Journal of machine Learning research, vol. 2, no. Dec, pp. 139–
154, 2001.
[24] G. Domeniconi, G. Moro, R. Pasolini, and C. Sartori, “A comparison
of term weighting schemes for text classification and sentiment analysis
with a supervised variant of tf. idf,” in International Conference on Data
Management Technologies and Applications, pp. 39–58, Springer, 2015.You can also read
